Abstract

Device-independent quantum key distribution (DIQKD) represents a relaxation of the security
assumptions made in usual quantum key distribution (QKD). As in usual QKD, the
security of DIQKD follows from the laws of quantum physics, but contrary to usual QKD, it
does not rely on any assumptions about the internal working of the quantum devices used in
the protocol. We present here in detail the security proof for a DIQKD protocol introduced in
[Phys. Rev. Lett. 98, 230501 (2008)]. This proof exploits the full structure of quantum theory
(as opposed to other proofs that exploit the no-signalling principle only), but only holds against
collective attacks, where the eavesdropper is assumed to act on the quantum systems of the
honest parties independently and identically at each round of the protocol (although she can
act coherently on her systems at any time). The security of any DIQKD protocol necessarily
relies on the violation of a Bell inequality. We discuss the issue of loopholes in Bell experiments
in this context.



1 Introduction 



Device-independent quantum key distribution (DIQKD) protocols aim at generating a secret key 
between two parties in a provably secure way without making assumptions about the internal 
working of the quantum devices used in the protocol. In DIQKD, the quantum apparatuses are 
seen as black boxes that produce classical outputs, possibly depending on the value of some classical 
inputs (see Fig. 1). These apparatuses are thought to implement a quantum process, but no
hypotheses in terms of Hilbert space, operators, or states are made on the actual quantum process
that generates the outputs given the inputs. 

DIQKD can be thought of by contrasting it with usual quantum key distribution (QKD). In its 
entanglement-based version [1], traditional QKD involves two parties, Alice and Bob, who receive
entangled particles emitted from a common source and who measure each of them in some chosen 
bases. The measurement outcomes are kept secret and form the raw key. As the source of particles 
is situated between Alice's and Bob's secure locations, it is not trusted by the parties, but assumed 
to be under the control of an eavesdropper Eve. The eavesdropper could for instance have replaced 
the original source by one who produces states that give her useful information about Alice's and 
Bob's measurement outcomes. However, by performing measurements in well-chosen bases on a 
random subset of their particles and by comparing their results, Alice and Bob can estimate the 
quantum states that they receive from the eavesdropper and decide whether a secret key can be 
extracted from them. 

In a device-independent analysis of this scenario, Alice and Bob would not only distrust the 
source of particles, but they would also distrust their measuring apparatuses. The measurement 
directions may for instance drift with time due to imperfections in the apparatuses, or the entire 
apparatuses may be untrusted because they have been fabricated by a malicious party. Alice and 
Bob have therefore no guarantee that the actual measurement bases correspond to the expected
ones. In fact they cannot even make assumptions about the dimension of the Hilbert space in which 
they are defined. In DIQKD, Alice and Bob have thus to bound Eve's information by looking for 
the worst combination of states and measurements (in Hilbert spaces of arbitrary dimension) that 
are compatible with the observed classical input-output relations. In contrast, in usual QKD Alice 
and Bob have a perfect knowledge of the measurements that are carried out and of the Hilbert 
space dimension of the quantum state they measure, and they exploit this information to bound 
the eavesdropper's information when they look for the worst possible states compatible with their 
observed data. 

1.1 Why DIQKD? 

DIQKD represents a relaxation of the security assumptions made in usual QKD. In this sense, it 
fits in the continuity of a series of works that aim to design cryptographic protocols secure against 
more and more powerful eavesdroppers. 

From a fundamental point of view, DIQKD shows that the security of a cryptographic scheme 
is possible based on a minimal set of fundamental assumptions. It only requires that: 

• Alice's and Bob's physical locations are secure, i.e., no unwanted information can leak out to
the outside;

• they have a trusted random number generator, possibly quantum, producing a classical random
output;

• they have trusted classical devices (e.g., memories and computing devices) to store and process
the classical data generated by their quantum apparatuses;

• they share an authenticated, but otherwise public, classical channel (this hypothesis can be
ensured if Alice and Bob start off with a small shared secret key);

• quantum physics is correct.

Figure 1: Schematic representation of the DIQKD scenario. Alice and Bob see their quantum
devices as black boxes producing classical outputs, a and b, as a function of classical inputs X and
Y. From the observed statistics, and without making any assumption on the internal working of
the devices, they should be able to conclude whether they can establish a secret key secure against
a quantum eavesdropper.

Other than these prerequisites, shared by all QKD protocols, no others are necessary. In addition to 
these essential requirements, usual QKD protocols assume that Alice and Bob have some knowledge 
about their quantum devices. 

From a practical point of view, DIQKD resolves some of the drawbacks of usual QKD. Usual 
security proofs of QKD make several assumptions about the quantum systems, such as their Hilbert
space dimension. These assumptions are often critical: as we show below, the security of the BB84 
protocol, for instance, is entirely compromised if Alice and Bob share four-dimensional systems 
instead of sharing qubits as usually assumed. The problem is that real-life implementation of QKD 
protocols may differ from the ideal design. For instance, the quantum apparatuses may be noisy or 
there may be uncontrolled side channels. A possible, but challenging, way to address these problems 
would be to characterize very precisely the quantum devices and try to adapt the security proof to 
the actual implementation of the protocol. The concept of device-independent QKD, on the other 
hand, applies through its remarkable generality in a simple way to these situations as it allows us 
to ignore all implementation details. 

DIQKD also makes it easier to test the components of a QKD protocol. Since its security relies
on the observed classical data generated by the devices, errors or deterioration with time of the 
internal working of the quantum devices, which could be exploited by an eavesdropper, are easily 
monitored and accounted for in the key rate. 

A third practical motivation for DIQKD is that it covers the adverse scenario where the quantum 
devices are not trusted. For instance, someone who had access to the quantum apparatuses at 
some time might have hacked or modified their mechanism. But if the devices still produce proper 
classical input-output relations, which is all that is required, this is irrelevant to the security of the
scheme. To some extent DIQKD overturns the adage that the security of a cryptographic system
is only as good as its physical security. Of course an eavesdropper who had access to the quantum 
devices might have modified their working so that they directly send her information about the 
measurement settings and outcomes. But this goes against the basic requirement that Alice's and 
Bob's locations should be completely secure against Eve's scrutiny - a necessary requirement for 
cryptography to have any meaning. It is modulo this assumption, that the eavesdropper is free to 
tamper with their devices. 

1.2 Usual QKD protocols are not secure in the device-independent scenario 

A consequence of adopting a more general security model is that traditional QKD protocols may 
no longer be secure, as illustrated by the following example. 

Consider the entanglement-based version of BB84 [2]. Alice has a measuring device that takes
a classical input $X \in \{0, 1\}$ (her choice of measurement setting) and that produces an output
$a \in \{0, 1\}$ (the measurement outcome). Similarly, Bob's device accepts inputs $Y \in \{0, 1\}$ and produces
outputs $b \in \{0, 1\}$. Both measuring devices act on a two-dimensional subspace of the incoming
particles (e.g., the polarization of a photon). The setting "0" is associated to the measurement
of $\sigma_x$, while the setting "1" corresponds to $\sigma_z$. Suppose that in an ideal, noise-free situation they
observe the following correlations:

$$P(ab|00) = P(ab|11) = 1/2 \quad \text{if } a = b,$$
$$P(ab|01) = P(ab|10) = 1/4 \quad \text{for all } a, b, \tag{1}$$

where $P(ab|XY)$ is the probability to observe the pair of outcomes a, b given that they have
made measurements X, Y. That is, if Alice and Bob perform measurements in the same bases,
they always get perfectly correlated outcomes; while if they measure in different bases, they get
completely uncorrelated random outcomes. In terms of the measurement operators $\sigma_x$ and $\sigma_z$ and
the two-qubit state $|\psi\rangle \in \mathbb{C}^2 \otimes \mathbb{C}^2$ that characterizes their incoming particles, the above correlations
can be rewritten as

$$\langle\psi|\sigma_x \otimes \sigma_x|\psi\rangle = \langle\psi|\sigma_z \otimes \sigma_z|\psi\rangle = 1,$$
$$\langle\psi|\sigma_x \otimes \sigma_z|\psi\rangle = \langle\psi|\sigma_z \otimes \sigma_x|\psi\rangle = 0. \tag{2}$$

The only state compatible with this set of equations is the maximally entangled state
$(|00\rangle + |11\rangle)/\sqrt{2}$. Alice and Bob therefore rightly conclude that they can safely extract a secret key from
their measurement data.

In the device-independent scenario, however, Alice and Bob can no longer assume that the
measurement settings "0" and "1" correspond to the operators $\sigma_x$ and $\sigma_z$, nor that they act on
the two-qubit space $\mathbb{C}^2 \otimes \mathbb{C}^2$. It is then not difficult to find separable (hence insecure) states that
reproduce the measurement data (1) for appropriate choice of measurements [3, 4]. An example is
given by the $\mathbb{C}^4 \otimes \mathbb{C}^4$ state

$$\rho_{AB} = \frac{1}{4} \sum_{z_0, z_1 = 0}^{1} (|z_0 z_1\rangle\langle z_0 z_1|)_A \otimes (|z_0 z_1\rangle\langle z_0 z_1|)_B, \tag{3}$$

where the vectors $|0\rangle$ and $|1\rangle$ define the z basis, and by the measurements $\sigma_z \otimes I$ for the setting
"0" and $I \otimes \sigma_z$ for the setting "1". Clearly this combination of state and measurements reproduces
the correlations (1): Alice and Bob find completely correlated outcomes when they use the same
measurement settings, and completely uncorrelated ones otherwise. In contrast to the previous
situation, however, Eve can now have a perfect copy of the local states of Alice and Bob, for
instance if they share the tripartite state

$$\rho_{ABE} = \frac{1}{4} \sum_{z_0, z_1 = 0}^{1} (|z_0 z_1\rangle\langle z_0 z_1|)_A \otimes (|z_0 z_1\rangle\langle z_0 z_1|)_B \otimes (|z_0 z_1\rangle\langle z_0 z_1|)_E. \tag{4}$$

This example illustrates the fact that in the usual security analysis of BB84 it is crucial to assume
that Alice's and Bob's measurements act on a two-dimensional space, a condition difficult to check
experimentally. If we relax this assumption, the security is no longer guaranteed.

1.3 How can DIQKD possibly be secure? 

Understanding better why usual QKD protocols are not secure in the device-independent scenario 
may help us identify physical principles on which to base the security of a device-independent 
scheme. A first observation is that the correlations (1) produced in BB84 are classical: we don't
need to invoke quantum physics at all to reproduce them. They can simply be generated by a set of 
classical random data shared by Alice's and Bob's systems — in essence this is what the separable 
state ([2]) achieves. Formally, they can be written in the form 

$$P(ab|XY) = \sum_{\lambda} P(\lambda)\, D(a|X, \lambda)\, D(b|Y, \lambda), \tag{5}$$

where $\lambda$ is a classical variable with probability distribution $P(\lambda)$ shared by Alice's and Bob's devices
and $D(a|X, \lambda)$ is a function that completely specifies Alice's outputs once the input X and $\lambda$ are
given (and similarly for $D(b|Y, \lambda)$). An eavesdropper might of course have a copy of $\lambda$, which would
give her full information about Alice's and Bob's outputs once the inputs are announced.

This trivial strategy is not available to the eavesdropper, however, if the outputs of Alice's and 
Bob's apparatuses are correlated in a non-local way, in the sense that they violate a Bell inequality 
[5]. Indeed, non-local correlations are defined precisely as those that cannot be written in the form 
(5). The violation of a Bell inequality is thus a necessary requirement for the security of a QKD
protocol in the device-independent scenario. This condition is clearly not satisfied by BB84.
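
The shared-randomness model behind state (3), checked exhaustively as an added example (not code from the paper): λ = (z0, z1) is uniform, each box outputs the bit selected by its setting, and Eve's side information is a copy of λ as in state (4). All function names are this example's own.

```python
from fractions import Fraction
from itertools import product

BITS = (0, 1)
LAMBDAS = list(product(BITS, repeat=2))   # lambda = (z0, z1), as in state (3)
P_LAMBDA = Fraction(1, 4)                 # uniform shared randomness


def device_output(setting, lam):
    """Deterministic response D(.|setting, lambda): output the bit z_setting."""
    return lam[setting]


def local_model(a, b, x, y):
    """P(ab|XY) assembled exactly as in decomposition (5)."""
    return sum(
        P_LAMBDA
        for lam in LAMBDAS
        if device_output(x, lam) == a and device_output(y, lam) == b
    )


def bb84_correlations(a, b, x, y):
    """Target statistics (1)."""
    if x == y:
        return Fraction(1, 2) if a == b else Fraction(0)
    return Fraction(1, 4)


def model_reproduces_bb84():
    """True if the classical model matches (1) for every a, b, X, Y."""
    return all(
        local_model(a, b, x, y) == bb84_correlations(a, b, x, y)
        for a, b, x, y in product(BITS, repeat=4)
    )


def guess_probability(x, eve_view):
    """Eve's best chance of naming Alice's bit for setting x.

    eve_view maps lambda to whatever Eve holds; the result is
    sum over her views of max_a P(a, view | x).
    """
    joint = {}
    for lam in LAMBDAS:
        key = (eve_view(lam), device_output(x, lam))
        joint[key] = joint.get(key, Fraction(0)) + P_LAMBDA
    views = {view for view, _ in joint}
    return sum(
        max(joint.get((view, a), Fraction(0)) for a in BITS) for view in views
    )


def correlator(x, y):
    """E(x, y) = P(a = b|xy) - P(a != b|xy) for the model above."""
    return sum(
        (1 if a == b else -1) * local_model(a, b, x, y)
        for a, b in product(BITS, repeat=2)
    )


def best_chsh_of_model():
    """Largest |CHSH| over the four placements of the minus sign."""
    e = {(x, y): correlator(x, y) for x, y in product(BITS, repeat=2)}
    total = sum(e.values())
    return max(abs(total - 2 * e[xy]) for xy in e)


def local_bound():
    """Maximum of a1*b1 + a1*b2 + a2*b1 - a2*b2 over deterministic +/-1 outputs.

    Any model of the form (5) is a mixture of these 16 strategies,
    so this maximum is the classical limit on the CHSH value.
    """
    signs = (-1, 1)
    return max(
        a1 * b1 + a1 * b2 + a2 * b1 - a2 * b2
        for a1, a2, b1, b2 in product(signs, repeat=4)
    )


if __name__ == "__main__":
    print("reproduces (1):", model_reproduces_bb84())
    print("Eve with copy of lambda:", guess_probability(0, lambda lam: lam))
    print("Eve with no side information:", guess_probability(0, lambda lam: None))
    print("best CHSH of the BB84 data:", best_chsh_of_model())
    print("local bound:", local_bound())
```

The BB84 statistics never exceed the local bound, which is why Alice and Bob cannot exclude this model from their data alone.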

More than a necessary condition for security, non-locality is the physical principle on which all 
device-independent security proofs are based. This follows from the fact that non-local correlations 
require for their generation entangled states, whose measurement statistics cannot be known
completely to an eavesdropper. To put it in another way, Bell inequalities are the only entanglement
witnesses that are device-independent, in the sense that they do not depend on the physical details 
underlying Alice's and Bob's apparatuses. 

1.4 Earlier works and relation to QKD against no-signalling eavesdroppers 

The intuition that the security of a QKD scheme could be based on the violation of a Bell inequality 
was at the origin of Ekert's 1991 celebrated proposal [6]. The crucial role that non-local correlations
play in a device-independent scenario was also implicitly recognized by Mayers and Yao [7].
Quantitative progress, however, has been possible only recently thanks to the pioneering work of
Barrett, Hardy, and Kent [8]. Barrett, Hardy, and Kent proved the security of a QKD scheme against
general attacks by a supra-quantum eavesdropper that is limited by the no-signalling principle only
(rather than the full quantum formalism). This is possible because once the no-signaling condition 
is assumed, nonlocal correlations satisfy a monogamy condition analogous to that of entanglement 
in quantum theory [9]. Since quantum theory satisfies the no-signalling condition, security against 
a no-signalling eavesdropper implies security in the device-independent scenario. 

Barrett, Hardy, and Kent's result is a proof of principle as their protocol requires Alice and 
Bob to have a noise-free quantum channel and generates a single shared secret bit (but makes 
a large number of uses of the channel). A slight modification of their protocol based on the 
results of [10] enables the generation of a secret key of $\log_2 d$ bits if Alice and Bob have a channel
that distributes d-dimensional systems. Barrett, Hardy, and Kent's work was extended to noisy
situations and non-vanishing key rates in [3, 11, 12], though these works only considered security
against individual attacks, where the eavesdropper is restricted to act independently on each of
Alice's and Bob's systems. Masanes et al. introduced a security proof valid against arbitrary
attacks by an eavesdropper that is not able to store non-classical information [13]. This result was 
improved by Masanes [14] who proved security in the universally-composable sense, the strongest 
notion of security. Although the last two results take into account eavesdropping strategies that act 
collectively on systems corresponding to different uses of the devices, they require the no-signalling 
condition to hold not only between the devices on Alice's and on Bob's side, but also between all 
individual uses of the quantum device of one party. This condition can be enforced, although not 
in a practical manner, by having the parties use in parallel N devices that are space-like separated 
from each other, rather than using sequentially a single device N times. 

There are fundamental motivations to study the security of QKD protocols against no-signalling 
eavesdroppers (NSQKD); this improves for instance our understanding of the relationship between 
information theory and physical theories. From a practical point of view, it is also interesting to 
develop cryptographic schemes that rely on physical principles independent from quantum theory 
and thus that could be guaranteed secure even if quantum theory were ever to fail. 

However, given that for the moment we have no good reasons (apart possibly theoretical ones)
to doubt the validity of quantum theory, nor evidence that a hypothetical breakdown of quantum
theory would signify the immediate end of quantum key distribution¹, it is advantageous to exploit
the full quantum formalism in the device-independent context. First of all, as the entire quantum
formalism is more constraining than the no-signalling principle alone, we expect to derive higher 
key rates and better noise resistance in the quantum case (for instance, the proof of general security 
given in [14] has a key rate and a noise-resistance that is not practical when applied to quantum 
correlations). A second advantage is that, from a technical point of view, we can exploit in proving 
security all the theoretical framework of quantum theory - as opposed to a single principle. We 
may, in particular, use existing results such as de Finetti theorems, efficient privacy amplification 
schemes against quantum adversaries, etc. (but might also have to derive new technical results 
that may find applications in other contexts). 

1.5 Content and structure of the paper 

Here we prove the security of a modified version of the Ekert protocol [6], proposed in Ref. [11].
Our proof, already introduced in [15], exploits the full quantum formalism, but is restricted to
collective attacks, where Eve is assumed to act independently and identically at each use of the
devices, though she can act coherently at any time on her own systems. In the usual security
model, security against collective attacks implies security against the most general type of attacks
[16]. It is an open question whether this is also true in the device-independent scenario. In the
protocol that we analyze, Alice and Bob bound Eve's information by estimating the violation of
the Clauser-Horne-Shimony-Holt (CHSH) inequality [17]. Our main result is a tight bound on the
Holevo information between Alice and Eve as a function of the amount of violation of the CHSH
inequality. The protocol that we use, our security assumptions, and our main result are presented
in Section 2. In particular, we present in Subsection 2.4 all the details of our security proof, which
was only sketched in [15].

¹ For instance, quantum physics might only break down at an energy scale that would remain inaccessible to human
control for ages.

It is crucial for the security of DIQKD that Alice's and Bob's outcomes genuinely violate a Bell 
inequality. All experimental tests of non-locality that have been made so far, however, are subject
to at least one of several loopholes and therefore admit in principle a local description. We discuss 
in Section 3 the issue of loopholes in Bell experiments from the perspective of DIQKD. 

Finally, we conclude with a discussion of our results and some open questions in Section 4. 

2 Results 

2.1 The protocol 

The protocol that we study is a modification of the Ekert 1991 protocol [6] proposed in Ref. [11].
Alice and Bob share a quantum channel consisting of a source that emits pairs of particles in an
entangled state $\rho_{AB}$. Alice can choose to apply to her particle one out of three possible measurements
$A_0$, $A_1$ and $A_2$, and Bob one out of two measurements $B_1$ and $B_2$. All measurements have
binary outcomes labeled by $a_i, b_j \in \{+1, -1\}$.

The raw key is extracted from the pair $\{A_0, B_1\}$. The quantum bit error rate (QBER) is
defined as $Q = P(a \neq b|01)$. This parameter estimates the amount of correlations between Alice's
and Bob's symbols and thus quantifies the amount of classical communication needed for error
correction. The measurements $A_1$, $A_2$, $B_1$, and $B_2$ are used on a subset of the particles to estimate
the CHSH polynomial

$$S = \langle a_1 b_1\rangle + \langle a_1 b_2\rangle + \langle a_2 b_1\rangle - \langle a_2 b_2\rangle, \tag{6}$$

where the correlator $\langle a_i b_j\rangle$ is defined as $P(a = b|ij) - P(a \neq b|ij)$. The CHSH polynomial is used
by Alice and Bob to bound Eve's information and, thus, governs the privacy amplification process. 
We note that there is no a priori relation between the value of S and the value of Q: these are two 
parameters which are available to estimate Eve's information. 

Without loss of generality, we suppose that the marginals are random for each measurement, 
i.e., $\langle a_i\rangle = \langle b_j\rangle = 0$ for all i and j. Were this not the case, Alice and Bob could achieve it a
posteriori through public one-way communication by agreeing on flipping randomly a chosen half 
of their bits. This operation would not change the value of Q and S and would be known to Eve. 

A particular implementation of our protocol with qubits is given for instance by the noisy two-qubit
state $\rho_{AB} = p|\Phi^+\rangle\langle\Phi^+| + (1 - p)I/4$ and by the qubit measurements $A_0 = B_1 = \sigma_z$, $B_2 = \sigma_x$,
$A_1 = (\sigma_z + \sigma_x)/\sqrt{2}$ and $A_2 = (\sigma_z - \sigma_x)/\sqrt{2}$, which maximize the CHSH polynomial for the state
$\rho_{AB}$. The state $\rho_{AB}$ corresponds to a two-qubit Werner state and arises, for instance, from the state
$|\Phi^+\rangle = 1/\sqrt{2}\,(|00\rangle + |11\rangle)$ after going through a depolarizing channel, or through a phase-covariant
cloner. The resulting correlations satisfy $S = 2\sqrt{2}\,p$ and $Q = 1/2 - p/2$, i.e., $S = 2\sqrt{2}(1 - 2Q)$.
Though these correlations can be generated in the way that we just described, it is important to
stress that Alice and Bob do not need to assume that they perform the above measurements, nor
that their quantum systems are of dimension 2, when they bound Eve's information.

In the case of classically correlated data (corresponding to $p \leq 1/\sqrt{2}$ for the above correlations),
the maximum of the CHSH polynomial (6) is 2, which defines the well-known CHSH Bell inequality
$S \leq 2$. Secure DIQKD is not possible if the observed value of S is below this classical limit, since
in this case there exists a trivial attack for Eve that gives her complete information, as discussed
in Subsection 1.3. On the other hand, at the point of maximal quantum violation $S = 2\sqrt{2}$
(corresponding to p = 1 for the above correlations), Eve's information is zero. This follows from 
the work of Tsirelson [18] , who showed that any quantum realization of this violation is equivalent to 
the case where Alice and Bob measure a two-qubit maximally entangled state. The main ingredient 
in the security proof of our DIQKD protocol is a lower bound on Eve's information as a function 
of the CHSH value. This bound allows us to interpolate between the two extreme cases of zero and 
maximal quantum violation and yields provable security for sufficiently large violations. 

2.2 Eavesdropping strategies 
Most general attacks 

In the device-independent scenario, Eve is assumed not only to control the source (as in usual 
entanglement-based QKD), but also to have fabricated Alice's and Bob's measuring devices. The 
only data available to Alice and Bob to bound Eve's knowledge is the observed relation between the 
inputs and outputs, without any assumption on the type of quantum measurements and systems 
used for their generation. 

In complete generality, we may describe this situation as follows. Alice, Bob, and Eve share a
state $|\Psi\rangle_{ABE}$ in $\mathcal{H}_A^{\otimes n} \otimes \mathcal{H}_B^{\otimes n} \otimes \mathcal{H}_E$, where n is the number of bits of the raw key. The dimension
d of Alice's and Bob's Hilbert spaces $\mathcal{H}_A = \mathcal{H}_B = \mathbb{C}^d$ is unknown to them and fixed by Eve. The
measurement $M_k$ yielding the $k$th outcome of Alice is defined on the $k$th subspace of Alice and
chosen by Eve. This measurement may depend on the input $A_{j_k}$ chosen by Alice at step k and on
the value $c_k$ of a classical register stored in the device, that is, $M_k = M_k(A_{j_k}, c_k)$. The classical
memory $c_k$ can in particular store information about all previous inputs and outputs. Note that
the quantum device may also have a quantum memory, but this quantum memory at step k of the
protocol can be seen as part of Alice's state defined in $\mathcal{H}_A^k$. The value of this quantum memory can
be passed internally from step k of the protocol to step k + 1 by teleporting it from $\mathcal{H}_A^k$ to $\mathcal{H}_A^{k+1}$
using the classical memory $c_k$. The situation is similar for Bob.

Collective attacks 

In this paper, we focus on collective attacks where Eve applies the same attack to each system of 
Alice and Bob. Specifically, we assume that the total state shared by the three parties has the 
product form $|\Psi_{ABE}\rangle = |\psi_{ABE}\rangle^{\otimes n}$ and that the measurements are a function of the current input
only, e.g., for Alice $M_k = M(A_{j_k})$. We thus assume that the devices are memoryless and behave
identically and independently at each step of the protocol. From now on, we simply write the 
measurement M(Aj) as Aj. 

For collective attacks, the asymptotic secret key rate r in the limit of a key of infinite size
under one-way classical postprocessing from Bob to Alice is lower-bounded by the Devetak-Winter
rate [19],

$$r \geq r_{DW} = I(A_0 : B_1) - \chi(B_1 : E), \tag{7}$$

which is the difference between the mutual information between Alice and Bob,

$$I(A_0 : B_1) = H(A_0) + H(B_1) - H(A_0, B_1) \tag{8}$$

and the Holevo quantity between Eve and Bob

$$\chi(B_1 : E) = S(\rho_E) - \frac{1}{2} \sum_{b_1 = \pm 1} S(\rho_{E|b_1}). \tag{9}$$

Here H and S denote the standard Shannon and von Neumann entropies, $\rho_E = \mathrm{Tr}_{AB}\,|\psi_{ABE}\rangle\langle\psi_{ABE}|$
denotes Eve's quantum state after tracing out Alice and Bob's particles, and
$\rho_{E|b_1}$ is Eve's quantum state when Bob has obtained the result $b_1$ for the measurement $B_1$. The
optimal collective attack corresponds to the case where the tripartite state $|\psi_{ABE}\rangle$ is the purification
of the bipartite state $\rho_{AB}$ shared by Alice and Bob.

Since we have assumed uniform marginals, the mutual information between Alice and Bob is 
given here by 

$$I(A_0 : B_1) = 1 - h(Q), \tag{10}$$

where h is the binary entropy. 

Note that the rate is given by (7) and not by $I(A_0 : B_1) - \chi(A_0 : E)$ because $\chi(A_0 : E) \geq \chi(B_1 : E)$
holds for our protocol [11]; it is therefore advantageous for Alice and Bob to do the classical
postprocessing with public communication from Bob to Alice. 



2.3 Security of our protocol against collective attacks 

To find Eve's optimal collective attack, we have to find the largest value of $\chi(B_1 : E)$ compatible
with the observed parameters Q and S without assuming anything about the physical systems and
the measurements that are performed. Our main result is the following.

Theorem. Let $|\psi_{ABE}\rangle$ be a quantum state and $\{A_1, A_2, B_1, B_2\}$ a set of measurements yielding a
violation S of the CHSH inequality. Then after Alice and Bob have symmetrized their marginals,

$$\chi(B_1 : E) \leq h\left(\frac{1 + \sqrt{(S/2)^2 - 1}}{2}\right). \tag{11}$$

The proof of this Theorem will be given in Subsection 2.4. From this result, it immediately
follows that the key rate for given observed values of Q and S is

$$r \geq 1 - h(Q) - h\left(\frac{1 + \sqrt{(S/2)^2 - 1}}{2}\right). \tag{12}$$

As an illustration, we have plotted in Fig. 2 the key rate for the correlations introduced in
Subsection 2.1 that satisfy $S = 2\sqrt{2}(1 - 2Q)$ and which arise from the state $|\Phi^+\rangle$ after going through a
depolarizing channel. We stress that although we have specified a particular state and particular
qubit measurements that produce these correlations, we do not assume anything about the
implementation of the correlations when computing the key rate. For the sake of comparison, we have
also plotted the key rate under the usual assumptions of QKD for the same set of correlations. In
this case, Alice and Bob have a perfect control of their apparatuses, which we have assumed to
faithfully perform the qubit measurements given in Subsection 2.1. The protocol is then equivalent
to Ekert's, which in turn is equivalent to the entanglement-based version of BB84, and one finds

$$\chi(B_1 : E) \leq h\left(Q + \frac{S}{2\sqrt{2}}\right), \tag{13}$$

as proven in Subsection 2.5. If $S = 2\sqrt{2}(1 - 2Q)$, this expression yields the well-known critical
QBER of 11% [20], to be compared to 7.1% in the device-independent scenario (Fig. 2).

Figure 2: Extractable secret-key rate against collective attacks in the usual scenario [$\chi(B_1 : E)$ given
by eq. (13)] and in the device-independent scenario [$\chi(B_1 : E)$ given by eq. (11)], for correlations
satisfying $S = 2\sqrt{2}(1 - 2Q)$. The key rate is plotted as a function of Q. Remember that the key
rate for the BB84 protocol in the device-independent scenario is zero.

To illustrate further the difference between the device-independent scenario and the usual
scenario, we now give an explicit attack which saturates our bound; this example also clarifies why
the bound (11) is independent of Q. To produce correlations characterized by given values of Q
and S, Eve sends to Alice and Bob the two-qubit Bell-diagonal state

$$\rho_{AB}(S) = \frac{1 + C}{2} P_{\Phi^+} + \frac{1 - C}{2} P_{\Phi^-}, \tag{14}$$

where $P_{\Phi^\pm}$ are the projectors on the Bell states $|\Phi^\pm\rangle = (|00\rangle \pm |11\rangle)/\sqrt{2}$ and where $C = \sqrt{(S/2)^2 - 1}$.
She defines the measurements to be $B_1 = \sigma_z$, $B_2 = \sigma_x$ and $A_{1,2} = \frac{1}{\sqrt{1 + C^2}}\sigma_z \pm \frac{C}{\sqrt{1 + C^2}}\sigma_x$. Any value
of Q can be obtained by choosing $A_0$ to be $\sigma_z$ with probability $1 - 2Q$ and to be a randomly
chosen bit with probability $2Q$. One can check that the Holevo information $\chi(B_1 : E)$ for the
state (14) and the measurement $B_1 = \sigma_z$ is equal to the right-hand side of (11), i.e., this attack
saturates our bound. This attack is impossible within the usual assumptions because here not only
the state $\rho_{AB}$, but also the measurements taking place in Alice's apparatus depend explicitly on
the observed values of S and Q. The state (14) has a nice interpretation: it is the two-qubit state
which gives the highest violation S of the CHSH inequality for a given value of the entanglement,
measured by the concurrence C [21]. Therefore, for the optimal attack, Eve uses the quantum state
achieving the observed Bell violation with the minimal amount of entanglement between Alice and
Bob. Since entanglement is a monogamous resource, this allows her to maximize her correlations
with the honest parties.
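
The key-rate bounds (12) and (13) and the attack built on state (14), evaluated numerically as an added example (not code from the paper). It locates the critical QBER on the line S = 2√2(1 − 2Q) by bisection and computes χ(B1 : E) for the purification of (14) directly from its amplitudes. The function names, the bisection interval and the convention χ = 1 when S ≤ 2 are assumptions of this example.

```python
import math

SQRT2 = math.sqrt(2.0)


def h(x):
    """Binary entropy in bits, with h(x) = 0 at and beyond the endpoints."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def chi_device_independent(S):
    """Right-hand side of (11); without a violation Eve may know the whole key."""
    if S <= 2.0:
        return 1.0
    return h((1.0 + math.sqrt((S / 2.0) ** 2 - 1.0)) / 2.0)


def chi_trusted_devices(Q, S):
    """Right-hand side of (13), valid only if the qubit measurements are trusted."""
    return h(Q + S / (2.0 * SQRT2))


def rate_di(Q, S):
    """Key rate (12) in the device-independent scenario."""
    return 1.0 - h(Q) - chi_device_independent(S)


def rate_trusted(Q, S):
    """Key rate under the usual QKD assumptions, using (13)."""
    return 1.0 - h(Q) - chi_trusted_devices(Q, S)


def chsh_on_line(Q):
    """CHSH value of the Werner-state correlations: S = 2*sqrt(2)*(1 - 2Q)."""
    return 2.0 * SQRT2 * (1.0 - 2.0 * Q)


def critical_qber(rate, lo=0.0, hi=0.25, iterations=60):
    """QBER at which rate(Q, S(Q)) reaches zero (rate > 0 at lo, < 0 at hi)."""
    for _ in range(iterations):
        mid = (lo + hi) / 2.0
        if rate(mid, chsh_on_line(mid)) > 0.0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def entropy_2x2(m):
    """von Neumann entropy (bits) of a real symmetric 2x2 density matrix."""
    tr = m[0][0] + m[1][1]
    det = m[0][0] * m[1][1] - m[0][1] * m[1][0]
    disc = math.sqrt(max(tr * tr / 4.0 - det, 0.0))
    eigenvalues = (tr / 2.0 + disc, tr / 2.0 - disc)
    return sum(-ev * math.log2(ev) for ev in eigenvalues if ev > 1e-15)


def holevo_of_attack(S):
    """chi(B1:E) for the purification of state (14) when Bob measures sigma_z."""
    C = min(math.sqrt(max((S / 2.0) ** 2 - 1.0, 0.0)), 1.0)
    weights = ((1.0 + C) / 2.0, (1.0 - C) / 2.0)   # on Phi+ and Phi-
    # psi[a][b][e]: amplitudes of sqrt(w0)|Phi+>|0>_E + sqrt(w1)|Phi->|1>_E
    psi = [[[0.0, 0.0] for _ in range(2)] for _ in range(2)]
    for e, sign in ((0, 1.0), (1, -1.0)):
        amp = math.sqrt(weights[e] / 2.0)
        psi[0][0][e] = amp
        psi[1][1][e] = sign * amp
    rho_E = [[0.0, 0.0], [0.0, 0.0]]
    chi = 0.0
    for b in (0, 1):
        # Eve's unnormalised state given Bob's outcome b, Alice traced out
        cond = [[sum(psi[a][b][e] * psi[a][b][f] for a in (0, 1))
                 for f in (0, 1)] for e in (0, 1)]
        p_b = cond[0][0] + cond[1][1]
        chi -= p_b * entropy_2x2([[v / p_b for v in row] for row in cond])
        rho_E = [[rho_E[e][f] + cond[e][f] for f in (0, 1)] for e in (0, 1)]
    return chi + entropy_2x2(rho_E)


if __name__ == "__main__":
    print("critical QBER, device-independent:", round(critical_qber(rate_di), 4))
    print("critical QBER, trusted devices:   ", round(critical_qber(rate_trusted), 4))
    for S in (2.2, 2.5, 2.8):
        print(S, round(holevo_of_attack(S), 6), round(chi_device_independent(S), 6))
```

Eve's conditional states come out pure, so the attack's Holevo quantity reduces to the entropy of her marginal and matches (11) for every S, whatever Q the attack is tuned to produce.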

2.4 Proof of upper bound on the Holevo quantity 

The proof of the bound (11) was only sketched in Ref. [15]. We present here all the details of that
proof. For clarity, we divide the proof into four steps.

2.4.1 Step 1: Reduction to calculations on two qubits 

Lemma 1. It is not restrictive to suppose that Eve sends to Alice and Bob a mixture $\rho_{AB} = \sum_\lambda p_\lambda \rho_\lambda$
of two-qubit states, together with a classical ancilla (known to her) that carries the value
$\lambda$ and determines which measurements $A_i^\lambda$ and $B_j^\lambda$ are to be used on $\rho_\lambda$.

The proof of this first statement relies critically on the simplicity of the CHSH inequality (two
binary settings on each side). We present the argument for Alice, the same holds for Bob. First,
since any generalized measurement (POVM) can be viewed as a von Neumann measurement in
a larger Hilbert space [22], we may assume that the two measurements $A_1$, $A_2$ of Alice are von
Neumann measurements, if necessary by including ancillas in the state $\rho_{AB}$ shared by Alice and
Bob. Thus $A_1$ and $A_2$ are Hermitian operators on $\mathbb{C}^d$ with eigenvalues ±1. We can then use the
following lemma.

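Lemma 2. Let $A_1$ and $A_2$ be Hermitian operators with eigenvalues equal to ±1 acting on a Hilbert
space $\mathcal{H}$ of finite or countable infinite dimension. Then we can decompose the Hilbert space $\mathcal{H}$ as
a direct sum

$$\mathcal{H} = \oplus_\alpha \mathcal{H}_\alpha^2 \tag{15}$$

such that $\dim(\mathcal{H}_\alpha^2) \leq 2$ for all $\alpha$, and such that both $A_1$ and $A_2$ act within $\mathcal{H}_\alpha^2$, that is, if $|\psi\rangle \in \mathcal{H}_\alpha^2$,
then $A_1|\psi\rangle \in \mathcal{H}_\alpha^2$ and $A_2|\psi\rangle \in \mathcal{H}_\alpha^2$.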

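Proof. Previous proofs of this result have been obtained independently by Tsirelson [23] and
Masanes [24]. Here, we provide an alternative and possibly simpler proof.

Note that since the eigenvalues of $A_1$ and $A_2$ are ±1, these operators square to the identity:
$A_1^2 = A_2^2 = \mathbb{1}$. Therefore $A_2 A_1$ is a unitary operator. Let $|\alpha\rangle$ be an eigenvector of $A_2 A_1$:

$$A_2 A_1 |\alpha\rangle = \omega |\alpha\rangle \quad \text{with } |\omega| = 1. \tag{16}$$

Then $|\tilde\alpha\rangle = A_2|\alpha\rangle$ is also an eigenvector of $A_2 A_1$ with eigenvalue $\bar\omega$, since
$A_2 A_1 |\tilde\alpha\rangle = A_2 A_1 A_2 |\alpha\rangle = \bar\omega\, A_2 A_1 A_2 (A_2 A_1 |\alpha\rangle) = \bar\omega A_2 |\alpha\rangle = \bar\omega |\tilde\alpha\rangle$.
As $A_2 A_1$ is unitary, its eigenvectors span the entire Hilbert space $\mathcal{H}$. It follows that $\mathcal{H}$ can be
decomposed as the direct sum $\mathcal{H} = \bigoplus_\alpha \mathcal{H}_\alpha^2$, where $\mathcal{H}_\alpha^2 = \mathrm{span}\{|\alpha\rangle, |\tilde\alpha\rangle\}$
is (at most) two-dimensional.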

It remains to show that $A_1$ and $A_2$ act within $\mathcal{H}_\alpha^2$. By definition $A_2|\alpha\rangle = |\tilde\alpha\rangle$ and $A_2|\tilde\alpha\rangle = |\alpha\rangle$.
On the other hand, $A_1|\alpha\rangle = A_1 A_2|\tilde\alpha\rangle = \omega|\tilde\alpha\rangle$ and $A_1|\tilde\alpha\rangle = A_1 A_2|\alpha\rangle = \bar\omega|\alpha\rangle$. Note that in the case
where $\omega = \pm 1$, $A_1 = \pm A_2$ on $\mathcal{H}_\alpha^2$, that is $A_1$ and $A_2$ are identical operators up to a phase. □

Proof of Lemma 1. We can rephrase Lemma 2 as saying that $A_j = \sum_\alpha P_\alpha A_j P_\alpha$ where the $P_\alpha$'s
are orthogonal projectors of rank 1 or 2. From Alice's standpoint, the measurement of $A_i$ thus
amounts to projecting onto one of the (at most) two-dimensional subspaces defined by the projectors
$P_\alpha$, followed by a measurement of the reduced observable $P_\alpha A_i P_\alpha = \vec{a}_i^{\,\alpha} \cdot \vec{\sigma}$. Clearly, it cannot be
worse for Eve to perform the projection herself before sending the state to Alice and learn the value
of $\alpha$. The same holds for Bob. We conclude that without loss of generality, in each run of the
experiment Alice and Bob receive a two-qubit state. The deviation from usual proofs of security of
QKD lies in the fact that the measurements to be applied can depend explicitly on the state sent
by Eve. □

2.4.2 Step 2: Reduction to Bell-diagonal states of two qubits 

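Let $|\Phi^\pm\rangle = \frac{1}{\sqrt 2}(|00\rangle \pm |11\rangle)$ and $|\Psi^\pm\rangle = \frac{1}{\sqrt 2}(|01\rangle \pm |10\rangle)$ be the four Bell states.

Lemma 3. In the basis of Bell states ordered as $\{|\Phi^+\rangle, |\Psi^-\rangle, |\Phi^-\rangle, |\Psi^+\rangle\}$, each state $\rho_\lambda$ can be
taken to be a Bell-diagonal state of the form

$$\rho_\lambda = \begin{pmatrix} \lambda_{\Phi^+} & & & \\ & \lambda_{\Psi^-} & & \\ & & \lambda_{\Phi^-} & \\ & & & \lambda_{\Psi^+} \end{pmatrix} \tag{17}$$

with eigenvalues satisfying

$$\lambda_{\Phi^+} \ge \lambda_{\Psi^-}, \qquad \lambda_{\Phi^-} \ge \lambda_{\Psi^+}. \tag{18}$$

Furthermore, the measurements $A_i^\lambda$ and $B_j^\lambda$ can be taken to be measurements in the (x, z) plane.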

Proof. For fixed $\lambda$ (we now omit the index $\lambda$), we can label the axes of the Bloch sphere on Alice's
side in such a way that $\vec{a}_1$ and $\vec{a}_2$ define the (x, z) plane; and similarly on Bob's side.

Eve is a priori distributing any two-qubit state $\rho$ of which she holds a purification. Now, recall
that we have supposed, without loss of generality, that all the marginals are uniformly random.
Knowing that Alice and Bob are going to symmetrize their marginals, Eve does not lose anything
in providing them a state with the suitable symmetry. The reason is as follows. First note that
since the (classical) randomization protocol that ensures $\langle a_i\rangle = \langle b_j\rangle = 0$ is done by Alice and Bob
through public communication, we can as well assume that it is Eve who does it, i.e., she flips the
value of each outcome bit with probability one half. But because the measurements of Alice and
Bob are in the (x, z) plane, we can equivalently, i.e., without changing Eve's information, view the
classical flipping of the outcomes as the quantum operation $\rho \to (\sigma_y \otimes \sigma_y)\rho(\sigma_y \otimes \sigma_y)$ on the state
$\rho$. We conclude that it is not restrictive to assume that Eve is in fact sending the mixture

$$\bar\rho = \frac{1}{2}\left[\rho + (\sigma_y \otimes \sigma_y)\rho(\sigma_y \otimes \sigma_y)\right], \tag{19}$$

i.e., that she is sending a state invariant under $\sigma_y \otimes \sigma_y$.

Now, $|\Phi^+\rangle$ and $|\Psi^-\rangle$ are eigenstates of $\sigma_y \otimes \sigma_y$ for the eigenvalue −1, whereas $|\Phi^-\rangle$ and $|\Psi^+\rangle$
are eigenstates of $\sigma_y \otimes \sigma_y$ for the eigenvalue +1. Consequently, $\bar\rho$ is obtained from $\rho$ by erasing
all the coherences between states with different eigenvalues. Explicitly, in the basis of Bell states,
ordered as $\{|\Phi^+\rangle, |\Psi^-\rangle, |\Phi^-\rangle, |\Psi^+\rangle\}$ we have

$$\bar\rho = \begin{pmatrix} \lambda_{\Phi^+} & r_1 e^{i\phi_1} & & \\ r_1 e^{-i\phi_1} & \lambda_{\Psi^-} & & \\ & & \lambda_{\Phi^-} & r_2 e^{i\phi_2} \\ & & r_2 e^{-i\phi_2} & \lambda_{\Psi^+} \end{pmatrix} \tag{20}$$

where all the non-zero elements coincide with those of the original $\rho$.

We now use some additional freedom that is left in the labeling: we can select any two orthogonal
axes in the (x, z) plane to be labeled x and z, and we can also choose their orientation. We make
use of this freedom to bring $\bar\rho$ to the form

$$\begin{pmatrix} \lambda_{\Phi^+} & i r_1 & & \\ -i r_1 & \lambda_{\Psi^-} & & \\ & & \lambda_{\Phi^-} & i r_2 \\ & & -i r_2 & \lambda_{\Psi^+} \end{pmatrix} \tag{21}$$

with $r_1$ and $r_2$ real and with the diagonal elements arranged as

$$\lambda_{\Phi^+} \ge \lambda_{\Psi^-}, \qquad \lambda_{\Phi^-} \ge \lambda_{\Psi^+}. \tag{22}$$

Indeed, let $R_y(\theta) = \cos\frac{\theta}{2}\,\mathbb{1} + i \sin\frac{\theta}{2}\,\sigma_y$: by applying $R_y(\alpha) \otimes R_y(\beta)$ with

$$\tan(\alpha - \beta) = \frac{2 r_1 \cos\phi_1}{\lambda_{\Phi^+} - \lambda_{\Psi^-}}, \qquad \tan(\alpha + \beta) = \frac{2 r_2 \cos\phi_2}{\lambda_{\Phi^-} - \lambda_{\Psi^+}} \tag{23}$$

the off-diagonal elements become purely imaginary. In order to further arrange the diagonal
elements according to (22), one can make the following extra rotations:

• in order to relabel $\Phi^+ \leftrightarrow \Psi^-$ without changing the others, one sets $\alpha - \beta = \pi$ and $\alpha + \beta = 0$,
i.e. $\alpha = -\beta = \frac{\pi}{2}$;

• in order to relabel $\Phi^- \leftrightarrow \Psi^+$ without changing the others, one sets $\alpha - \beta = 0$ and $\alpha + \beta = \pi$,
i.e. $\alpha = \beta = \frac{\pi}{2}$;

• in order to relabel both, one takes the sum of the previous ones i.e. $\alpha = \pi$ and $\beta = 0$.

In this way one fixes $\lambda_{\Phi^+} \ge \lambda_{\Psi^-}$ and $\lambda_{\Phi^-} \ge \lambda_{\Psi^+}$, i.e. the order of the diagonal elements in each
sector.

Finally, we repeat an argument similar to the one given above: since $\bar\rho$ and its conjugate $\bar\rho^*$
produce the same statistics for Alice and Bob's measurements and provide Eve with the same
information, we can suppose without loss of generality that Alice and Bob rather receive the
Bell-diagonal mixture

$$\rho_\lambda = \frac{\bar\rho + \bar\rho^*}{2} = \begin{pmatrix} \lambda_{\Phi^+} & & & \\ & \lambda_{\Psi^-} & & \\ & & \lambda_{\Phi^-} & \\ & & & \lambda_{\Psi^+} \end{pmatrix} \tag{24}$$

with the eigenvalues satisfying $\lambda_{\Phi^+} \ge \lambda_{\Psi^-}$ and $\lambda_{\Phi^-} \ge \lambda_{\Psi^+}$. □

2.4.3 Step 3: Explicit calculation of the bound

Lemma 4. For a Bell-diagonal state $\rho_\lambda$ (17) with eigenvalues $\lambda$ ordered as in eq. (18) and for
measurements in the (x, z) plane,

$$\chi_\lambda(B_1 : E) \le h\!\left(\frac{1 + \sqrt{(S_\lambda/2)^2 - 1}}{2}\right) \tag{25}$$

where $S_\lambda$ is the largest violation of the CHSH inequality by the state $\rho_\lambda$.

In order to prove Lemma 4 we have to bound $\chi(B_1 : E) = S(\rho_E) - \sum_{b_1 = \pm 1} p(b_1)\, S(\rho_{E|b_1})$. For
the Bell-diagonal state (17) one has

$$\chi_\lambda(B_1 : E) = H(\lambda) - \frac{1}{2}\left[S(\rho_{E|b_1=1}) + S(\rho_{E|b_1=-1})\right], \tag{26}$$

where H is Shannon entropy and where we have adopted the notation $\lambda = \{\lambda_{\Phi^+}, \lambda_{\Phi^-}, \lambda_{\Psi^+}, \lambda_{\Psi^-}\}$.
We divide the proof of Lemma 4 into three parts. In the first part, we prove that, for any given
Bell-diagonal state, Eve's best choice for Bob's measurement is $B_1 = \sigma_z$, which allows us to express (26)
solely in terms of the eigenvalues $\lambda$. In the second part, we obtain an inequality between entropies.
In the third part, we compute the maximal violation of the CHSH inequality for states of the form
(17).

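Step 3, Part 1: Upper bound for given Bell-diagonal state

Lemma 5. For a Bell-diagonal state $\rho_\lambda$ with eigenvalues $\lambda$ ordered as in (18) and for measurements
in the (x, z) plane,

$$\chi_\lambda(B_1 : E) \le H(\lambda) - h(\lambda_{\Phi^+} + \lambda_{\Phi^-}). \tag{27}$$

Proof. Let us compute $S(\rho_{E|b_1})$. First, one gives Eve the purification of $\rho_\lambda$:

$$|\Psi\rangle_{ABE} = \sqrt{\lambda_{\Phi^+}}\,|\Phi^+\rangle|e_1\rangle + \sqrt{\lambda_{\Phi^-}}\,|\Phi^-\rangle|e_2\rangle + \sqrt{\lambda_{\Psi^+}}\,|\Psi^+\rangle|e_3\rangle + \sqrt{\lambda_{\Psi^-}}\,|\Psi^-\rangle|e_4\rangle \tag{28}$$

with $\langle e_i|e_j\rangle = \delta_{ij}$. By tracing Alice out, one obtains $\rho_{BE}$.

Now, Bob measures in the (x, z) plane. His measurement $B_1$ can be written as

$$B_1 = \cos\varphi\,\sigma_z + \sin\varphi\,\sigma_x. \tag{29}$$

After the measurement, the system is projected in one of the eigenstates of $B_1$, which can be written
as $|b_1\rangle = \sqrt{\frac{1 + b_1\cos\varphi}{2}}\,|0\rangle + b_1\sqrt{\frac{1 - b_1\cos\varphi}{2}}\,|1\rangle$ when $\varphi \in [0, \pi]$. The case $\varphi \in [\pi, 2\pi]$ corresponds to a
flip of the outcome $b_1$, but as the result that follows is independent of the value of $b_1$, it is sufficient
to consider $\varphi \in [0, \pi]$. The reduced density matrix of Eve conditioned on the value of $b_1$ is given by

$$\rho_{E|b_1} = |\psi_+(b_1)\rangle\langle\psi_+(b_1)| + |\psi_-(-b_1)\rangle\langle\psi_-(-b_1)|, \tag{30}$$

where we have defined the two non-normalized states

$$|\psi_\pm(b_1)\rangle = \sqrt{\frac{1 + b_1\cos\varphi}{2}}\left[\sqrt{\lambda_{\Phi^+}}\,|e_1\rangle \pm \sqrt{\lambda_{\Phi^-}}\,|e_2\rangle\right] \pm b_1\sqrt{\frac{1 - b_1\cos\varphi}{2}}\left[\sqrt{\lambda_{\Psi^+}}\,|e_3\rangle \pm \sqrt{\lambda_{\Psi^-}}\,|e_4\rangle\right]. \tag{31}$$

The calculation of the eigenvalues of a rank two matrix is a standard procedure. The result is that
the eigenvalues of $\rho_{E|b_1}$ are independent of $b_1$ and are given by

$$\Lambda_\pm = \frac{1}{2}\left(1 \pm \sqrt{(\lambda_{\Phi^+} - \lambda_{\Psi^-})^2 + (\lambda_{\Phi^-} - \lambda_{\Psi^+})^2 + 2\cos 2\varphi\,(\lambda_{\Phi^+} - \lambda_{\Psi^-})(\lambda_{\Phi^-} - \lambda_{\Psi^+})}\right). \tag{32}$$

Therefore we have obtained $S(\rho_{E|b_1=1}) = S(\rho_{E|b_1=-1}) = h(\Lambda_+)$, that is

$$\chi_\lambda(B_1 : E) = H(\lambda) - h(\Lambda_+). \tag{33}$$

Now, for any set of $\lambda$'s, Eve's information is the largest for the choice of $\varphi$ that minimizes $h(\Lambda_+)$,
which is the one for which the difference $\Lambda_+ - \Lambda_-$ is the largest. Because of (22), the product
$(\lambda_{\Phi^+} - \lambda_{\Psi^-})(\lambda_{\Phi^-} - \lambda_{\Psi^+})$ is non-negative and the maximum is obtained for $\varphi = 0$, i.e., $B_1 = \sigma_z$.
This gives the upper bound that we wanted

$$\chi_\lambda(B_1 : E) \le H(\lambda) - h(\lambda_{\Phi^+} + \lambda_{\Phi^-}). \tag{34}$$

□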



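Step 3, Part 2: Entropic Inequality

Lemma 6. Let $\lambda$ be probabilities, i.e. $\lambda_{\Phi^+}, \lambda_{\Phi^-}, \lambda_{\Psi^+}, \lambda_{\Psi^-} \ge 0$ and $\lambda_{\Phi^+} + \lambda_{\Phi^-} + \lambda_{\Psi^+} + \lambda_{\Psi^-} = 1$.
Let $R^2 = (\lambda_{\Phi^+} - \lambda_{\Psi^-})^2 + (\lambda_{\Phi^-} - \lambda_{\Psi^+})^2$. Then

\begin{align}
F(\lambda) = H(\lambda) - h(\lambda_{\Phi^+} + \lambda_{\Phi^-}) &\le h\!\left(\frac{1 + \sqrt{2R^2 - 1}}{2}\right) && \text{if } R^2 > 1/2 \tag{35}\\
&\le 1 && \text{if } R^2 \le 1/2, \tag{36}
\end{align}

with equality in eq. (35) if and only if $\lambda_{\Phi^\pm} = 0$ or $\lambda_{\Psi^\pm} = 0$.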
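Proof. We can parameterize the $\lambda$'s as:

$$\begin{aligned}
\lambda_{\Phi^+} &= \tfrac{1}{4} + \tfrac{R}{2}\cos\theta + \delta,\\
\lambda_{\Phi^-} &= \tfrac{1}{4} + \tfrac{R}{2}\sin\theta - \delta,\\
\lambda_{\Psi^-} &= \tfrac{1}{4} - \tfrac{R}{2}\cos\theta + \delta,\\
\lambda_{\Psi^+} &= \tfrac{1}{4} - \tfrac{R}{2}\sin\theta - \delta.
\end{aligned} \tag{37}$$

The conditions $\lambda_{\Phi^+}, \lambda_{\Phi^-}, \lambda_{\Psi^+}, \lambda_{\Psi^-} \ge 0$ imply

$$-\frac{1}{4} + \frac{R}{2}|\cos\theta| \le \delta \le \frac{1}{4} - \frac{R}{2}|\sin\theta|. \tag{38}$$

There is a solution for $\delta$ if and only if

$$|\cos\theta| + |\sin\theta| \le \frac{1}{R}. \tag{39}$$

This condition is non trivial if $R > 1/\sqrt{2}$.

When $R > 1/\sqrt{2}$, the extremal values of $\theta$, solution of $|\cos\theta| + |\sin\theta| = \frac{1}{R}$, correspond to
$\lambda_{\Phi^+} = 0$ or $\lambda_{\Psi^-} = 0$, and $\lambda_{\Phi^-} = 0$ or $\lambda_{\Psi^+} = 0$. When both $\lambda_{\Phi^\pm} = 0$ or both $\lambda_{\Psi^\pm} = 0$,
$F(\lambda) = h\big(1/2 + \sqrt{2R^2 - 1}/2\big)$ and one has equality in eq. (35). In the other cases, $F(\lambda) = 0$ and
the inequality (35) is satisfied. Our strategy is to prove that when $R > 1/\sqrt{2}$, the maximum of
$F(\lambda)$ occurs when $|\cos\theta| + |\sin\theta| = \frac{1}{R}$, i.e., at the edge of the allowed domain for $\theta$. This will
establish (35).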

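Let us start by finding the maximum of F for fixed R and $\theta$. To this end, we compute the
derivative of F with respect to $\delta$:

$$\frac{\partial}{\partial\delta} F(\lambda) = -\log_2 \lambda_{\Phi^+} + \log_2 \lambda_{\Phi^-} + \log_2 \lambda_{\Psi^+} - \log_2 \lambda_{\Psi^-}. \tag{40}$$

The derivative with respect to $\delta$ vanishes if and only if $\lambda_{\Phi^+}\lambda_{\Psi^-} = \lambda_{\Phi^-}\lambda_{\Psi^+}$, which is equivalent to

$$\delta = \delta^*(\theta) = \frac{R^2}{4}\left(\cos^2\theta - \sin^2\theta\right). \tag{41}$$

Note that $\delta^*(\theta)$ always belongs to the domain (38) for $\theta$ satisfying (39), i.e., it is an extremum of
F. We also have that

$$\frac{\partial^2}{\partial\delta^2} F(\lambda) = -\frac{1}{\lambda_{\Phi^+}} - \frac{1}{\lambda_{\Phi^-}} - \frac{1}{\lambda_{\Psi^+}} - \frac{1}{\lambda_{\Psi^-}} < 0, \tag{42}$$

which shows that $\delta^*(\theta)$ is a maximum of F (not a minimum).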

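We have thus identified the unique maximum of F at fixed $\theta$. Let us now take the optimal value
of $\delta = \delta^*(\theta)$, and let $\theta$ vary. We compute the derivative of F with respect to $\theta$ along the curve
$\delta = \delta^*(\theta)$:

$$\begin{aligned}
\frac{d}{d\theta} F\Big|_{\delta=\delta^*} &= \frac{\partial}{\partial\delta} F\Big|_{\delta=\delta^*} \frac{d\delta^*(\theta)}{d\theta} + \frac{\partial}{\partial\theta} F\Big|_{\delta=\delta^*} = \frac{\partial}{\partial\theta} F\Big|_{\delta=\delta^*}\\
&= -\frac{R}{2}\cos\theta\,\log_2\!\left(\frac{\lambda_{\Phi^-}(\lambda_{\Psi^+} + \lambda_{\Psi^-})}{\lambda_{\Psi^+}(\lambda_{\Phi^+} + \lambda_{\Phi^-})}\right) + \frac{R}{2}\sin\theta\,\log_2\!\left(\frac{\lambda_{\Phi^+}(\lambda_{\Psi^+} + \lambda_{\Psi^-})}{\lambda_{\Psi^-}(\lambda_{\Phi^+} + \lambda_{\Phi^-})}\right).
\end{aligned} \tag{43}$$

Now, when $\delta = \delta^*$, we have the identities:

$$\frac{\lambda_{\Phi^+}}{\lambda_{\Phi^+} + \lambda_{\Phi^-}} = \frac{\lambda_{\Psi^+}}{\lambda_{\Psi^+} + \lambda_{\Psi^-}} = \frac{1}{2} + \frac{R}{2}\cos\theta - \frac{R}{2}\sin\theta, \tag{44}$$

and

$$\frac{\lambda_{\Phi^-}}{\lambda_{\Phi^+} + \lambda_{\Phi^-}} = \frac{\lambda_{\Psi^-}}{\lambda_{\Psi^+} + \lambda_{\Psi^-}} = \frac{1}{2} - \frac{R}{2}\cos\theta + \frac{R}{2}\sin\theta. \tag{45}$$

Using these relations we obtain

$$\frac{d}{d\theta} F\Big|_{\delta=\delta^*} = -\frac{R}{2}\left(\cos\theta + \sin\theta\right)\log_2\frac{1 - R\cos\theta + R\sin\theta}{1 + R\cos\theta - R\sin\theta}. \tag{46}$$

This quantity vanishes (i.e. we have an extremum) if and only if $\cos\theta + \sin\theta = 0$ or $\cos\theta - \sin\theta = 0$,
that is $\theta = \pm\pi/4, \pm 3\pi/4$.

When $R > 1/\sqrt{2}$ the points $\theta = \pm\pi/4, \pm 3\pi/4$ lie outside the allowed domain for $\theta$. Hence
the maximum of F occurs when $\theta$ lies at the edge of its allowed domain. As discussed above, this
proves our claim when $R > 1/\sqrt{2}$.

When $R \le 1/\sqrt{2}$, the extrema can be reached. Note that $\theta = \pm\pi/4, \pm 3\pi/4$ implies $\delta^* = 0$.
One then easily checks that the maximum of F occurs when $\theta = \pi/4, -3\pi/4$, whereupon F = 1.
This establishes eq. (36). □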






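Step 3, Part 3: Violation of CHSH

Lemma 7. The maximal violation $S_\lambda$ of the CHSH inequality for a Bell-diagonal state $\rho_\lambda$ given by
(17) with eigenvalues ordered according to (18) is

$$S_\lambda = \max\left\{2\sqrt{2}\sqrt{(\lambda_{\Phi^+} - \lambda_{\Psi^-})^2 + (\lambda_{\Phi^-} - \lambda_{\Psi^+})^2},\; 2\sqrt{2}\sqrt{(\lambda_{\Phi^+} - \lambda_{\Psi^+})^2 + (\lambda_{\Phi^-} - \lambda_{\Psi^-})^2}\right\}. \tag{47}$$

Proof. For any given two-qubit state $\rho$, the maximum value of the CHSH expression can be
computed using the following recipe [25]: let T be the tensor with entries $t_{ij} = \mathrm{Tr}[\sigma_i \otimes \sigma_j\, \rho]$, and let $\tau_1$
and $\tau_2$ be the two largest eigenvalues of the symmetric matrix $T^T T$. Then, for optimal measurements,
$S = 2\sqrt{\tau_1 + \tau_2}$.

We are working with the Bell-diagonal state (17), for which

$$T = \begin{pmatrix} \lambda_{\Phi^+} - \lambda_{\Phi^-} + \lambda_{\Psi^+} - \lambda_{\Psi^-} & & \\ & -\lambda_{\Phi^+} + \lambda_{\Phi^-} + \lambda_{\Psi^+} - \lambda_{\Psi^-} & \\ & & \lambda_{\Phi^+} + \lambda_{\Phi^-} - \lambda_{\Psi^+} - \lambda_{\Psi^-} \end{pmatrix}. \tag{48}$$

Taking into account the order (18), one has $T_{zz} \ge |T_{xx}|$. Hence either

$$\tau_1 + \tau_2 = T_{zz}^2 + T_{xx}^2 = 2\left[(\lambda_{\Phi^+} - \lambda_{\Psi^-})^2 + (\lambda_{\Phi^-} - \lambda_{\Psi^+})^2\right], \tag{49}$$

or

$$\tau_1 + \tau_2 = T_{zz}^2 + T_{yy}^2 = 2\left[(\lambda_{\Phi^+} - \lambda_{\Psi^+})^2 + (\lambda_{\Phi^-} - \lambda_{\Psi^-})^2\right]. \tag{50}$$

□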

We can now provide the proof of Lemma 4.

Proof of Lemma 4. In the case that $S_\lambda$ is equal to the first expression in (47), Lemma 4 immediately
follows from combining Lemmas 5 and 6, since $S_\lambda = 2\sqrt{2}R$. Note that the threshold $R^2 = 1/2$ in
Lemma 6 corresponds to the threshold for violating the CHSH inequality.

In the other case, we once again combine Lemmas 5 and 6 and note that the function F in
Lemma 5 is invariant under permutation of $\lambda_{\Psi^+}$ and $\lambda_{\Psi^-}$ with $\lambda_{\Phi^+}, \lambda_{\Phi^-}$ fixed. □
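The chain of Lemmas 4 to 7 can be checked numerically. The following Python sketch is an added example, not code from the paper: it builds Eve's conditional states directly from the purification (28), evaluates the Holevo quantity for several angles of Bob's measurement, and compares the value at angle 0 with the bound (25), taking the CHSH value from the recipe of Ref. [25] applied to (48). All function names are assumptions of this example, and the spectra are random samples constructed here.

```python
import math
import random

def h(p):
    """Binary entropy in bits."""
    return 0.0 if p <= 0 or p >= 1 else -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def shannon(probs):
    """Shannon entropy H(lambda) in bits."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

R2 = 1 / math.sqrt(2)
# Bell states as amplitudes over (Alice bit, Bob bit); key order fixes |e1>..|e4> of (28).
BELL = {
    "Phi+": {(0, 0): R2, (1, 1): R2},
    "Phi-": {(0, 0): R2, (1, 1): -R2},
    "Psi+": {(0, 1): R2, (1, 0): R2},
    "Psi-": {(0, 1): R2, (1, 0): -R2},
}

def _dot(x, y):
    return sum(s * t for s, t in zip(x, y))

def eve_entropy(lam, phi, b1):
    """Return (p(b1), S(rho_E|b1)) for B1 = cos(phi) sigma_z + sin(phi) sigma_x, phi in [0, pi]."""
    c = (math.sqrt((1 + b1 * math.cos(phi)) / 2),
         b1 * math.sqrt((1 - b1 * math.cos(phi)) / 2))   # eigenvector of B1 for outcome b1
    # Eve's unnormalised state for each value a of Alice's traced-out qubit.
    v = [[math.sqrt(lam[k]) * sum(c[b] * BELL[k].get((a, b), 0.0) for b in (0, 1))
          for k in BELL] for a in (0, 1)]
    g00, g11, g01 = _dot(v[0], v[0]), _dot(v[1], v[1]), _dot(v[0], v[1])
    p_b1 = g00 + g11
    # The non-zero spectrum of rho_E|b1 equals that of the normalised 2x2 Gram matrix.
    gap = math.sqrt((g00 - g11) ** 2 + 4 * g01 ** 2) / p_b1
    return p_b1, h((1 + gap) / 2)

def holevo(lam, phi):
    """chi(B1:E) = S(rho_E) - sum_b1 p(b1) S(rho_E|b1), where S(rho_E) = H(lambda)."""
    cond = sum(p * s for p, s in (eve_entropy(lam, phi, b) for b in (+1, -1)))
    return shannon(lam.values()) - cond

def chsh_max(lam):
    """S_lambda = 2 sqrt(tau1 + tau2) for the diagonal correlation tensor T of (48)."""
    a, b, c, d = lam["Phi+"], lam["Phi-"], lam["Psi+"], lam["Psi-"]
    t = sorted([(a - b + c - d) ** 2, (-a + b + c - d) ** 2, (a + b - c - d) ** 2])
    return 2 * math.sqrt(t[1] + t[2])

def bound(S):
    """Right-hand side of (25); taken as 1 when CHSH is not violated, as in (36)."""
    return 1.0 if S <= 2 else h((1 + math.sqrt((S / 2) ** 2 - 1)) / 2)

def random_bell_diagonal(rng):
    """Random spectrum, relabelled so that it satisfies the ordering (18)."""
    w = [rng.random() for _ in range(4)]
    a, b, c, d = (x / sum(w) for x in w)
    return {"Phi+": max(a, d), "Phi-": max(b, c), "Psi+": min(b, c), "Psi-": min(a, d)}

def check(trials=2000, seed=1):
    """Largest observed excess over Lemma 5 and over Lemma 4 (both ~0 if the lemmas hold)."""
    rng = random.Random(seed)
    worst5 = worst4 = 0.0
    for _ in range(trials):
        lam = random_bell_diagonal(rng)
        chi0 = holevo(lam, 0.0)
        for k in range(1, 9):                              # phi = pi/8, ..., pi
            worst5 = max(worst5, holevo(lam, k * math.pi / 8) - chi0)
        worst4 = max(worst4, chi0 - bound(chsh_max(lam)))
    return worst5, worst4

if __name__ == "__main__":
    print("max excess over Lemma 5, Lemma 4:", check())
```
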



2.4.4 Step 4: Convexity argument 

To conclude the proof of the Theorem, note that if Eve sends a mixture of Bell-diagonal states
$\sum_\lambda p_\lambda \rho_\lambda$ and chooses the measurements to be in the (x, z) plane, then $\chi(B_1 : E) = \sum_\lambda p_\lambda\, \chi_\lambda(B_1 : E)$.
Using (25), we then find $\chi(B_1 : E) \le \sum_\lambda p_\lambda F(S_\lambda) \le F\big(\sum_\lambda p_\lambda S_\lambda\big)$, where the last inequality
holds because F is concave. But since the observed violation S of CHSH is necessarily such that
$S \le \sum_\lambda p_\lambda S_\lambda$ and since F is a monotonically decreasing function, we find $\chi(B_1 : E) \le F(S)$.

2.5 Derivation of the bound (13) in the standard scenario

In the standard scenario, Alice and Bob know that they are measuring qubits and have set their
measurement settings in the best possible way for the reference state $|\Phi^+\rangle$. We assume one such
possible choice (all the others being equivalent), the one specified in Subsection 2.1: $A_0 = B_1 = \sigma_z$,
$A_1 = (\sigma_z + \sigma_x)/\sqrt{2}$, $A_2 = (\sigma_z - \sigma_x)/\sqrt{2}$, $B_2 = \sigma_x$. Thus the CHSH polynomial becomes

$$\mathrm{CHSH} = \sqrt{2}\,(\sigma_x \otimes \sigma_x + \sigma_z \otimes \sigma_z). \tag{51}$$

The calculation of the unconditional security bound follows exactly the usual one, as presented for
instance in Appendix A of Ref. [26]. As is well known, in the usual BB84 protocol, the measured
parameters are the error rates in the Z and in the X basis, $e_{z,x}$; if the Z basis is used for the key
and the X basis for parameter estimation, Eve's information is bounded by

$$\chi(A_z : E) = \chi(B_z : E) = h(e_x). \tag{52}$$

In our case, $e_z = Q$; but instead of $e_x$, the parameter from which Eve's information is inferred
is the average value S of the CHSH polynomial. Given (51), the evaluation of S on a Bell-diagonal
state is straightforward: $S = 2\sqrt{2}(\lambda_1 - \lambda_4)$. Now, with the parametrization $\lambda_1 = (1 - e_z)(1 - u)$
and $\lambda_4 = e_z v$, we immediately obtain $\lambda_1 - \lambda_4 = 1 - e_z - [(1 - e_z)u + e_z v] = 1 - e_z - e_x$ because of
Eq. (A7) of Ref. [26]. Therefore $S = 2\sqrt{2}(1 - Q - e_x)$, i.e.

$$e_x = 1 - Q - S/2\sqrt{2}. \tag{53}$$

Since $h(e_x) = h(1 - e_x)$, this leads immediately to (13).

3 Loopholes in Bell experiments and DIQKD 

The security of our protocol, like the security of any DIQKD protocol, relies on the violation of a 
Bell inequality. All experimental tests of Bell inequalities that have been made so far, however, are 
subject to at least one of several loopholes and therefore admit in principle a local description. We 
discuss here how these loopholes can impact DIQKD protocols. 

3.1 Loopholes in Bell experiments 

Basically, a loophole-free Bell experiment requires two ingredients: i) no information about the 
input of one party should be known to the other party before she has produced her output; ii) high 
enough detection efficiencies. 

If the first requirement is not fulfilled, the premises of Bell's theorem are not satisfied and it is 
trivial for a classical model to account for the apparent non-locality of the observed correlations. 
In practice, this means that the measurements should be carried out sufficiently fast and far apart 
from each other so that no sub-luminal influence can propagate from the choice of measurement 
on one wing to the measurement outcome on the other wing. Additionally, the local choices 
of measurement should not be determined in advance, i.e., they should be truly random events. 
Failure to satisfy one of these two conditions is known as the locality loophole [5]. 

The second requirement arises from the fact that in practice not all signals are detected by the 
measuring devices, either because of inefficiencies in the devices themselves, or because of particle 
losses on the path from the source to the detectors. The detection loophole [27] exploits the idea 
that it is a local variable that determines whether a signal will be registered or not. The particle is 
detected only if the setting of the measuring device is in agreement with a predetermined scheme. 
In this way, apparently non-local correlations can be reproduced by a purely local model provided 
that the efficiency $\eta$ of the detectors is below a certain threshold. In general the efficiency necessary
to rule out a local description depends on the Bell inequality that is tested, and is quite high for
Bell inequalities with low numbers of inputs and outputs (for the CHSH inequality, one must have
$\eta > 82.8\%$). It is an open question whether there exist Bell inequalities (with reasonably many
inputs and outputs) allowing significantly lower detection efficiencies (see e.g. [28, 29, 30]). From
the point of view of the data analysis, to decide whether an experiment with inefficient detectors has
produced a genuine violation of a Bell inequality, all measurement events, including no-detection 
events, should be taken into account in the non-locality test. 

All Bell experiments performed so far suffer from (at least) one of the two above loopholes. 
On the one hand, photonic experiments can close the locality loophole [31, 32, 33], but cannot
reach the desired detection efficiencies. On the other hand, experiments carried out on entangled
ions [34, 35] manage to close the detection loophole, but are unsatisfactory from the point of view
of locality. Note that other loopholes or variants of the above loophole have also been identified, 
such as the coincidence-time loophole [36], but these are not as problematic. 

3.2 Loopholes from the perspective of DIQKD 

When considering the implications of these loopholes for DIQKD, a first point to realize is that 
they are mainly a technological problem, but do not in any way undermine the concept of DIQKD 
itself. An eavesdropper trying to exploit one of the above loopholes would clearly have to tamper 
with Alice and Bob's devices, but it is not necessary for Alice and Bob to "trust" or characterize the 
inner working of their devices to be sure that all loopholes are closed. This can be decided solely by 
looking at the classical input-output relations produced by the quantum devices (and possibly their 
timing). In other words, we do not have to leave the paradigm of DIQKD to guarantee the security 
of the protocol (though of course with present-day technology it might be difficult to construct 
devices that pass such security tests). 

A second important observation is that there is a fundamental difference between a Bell exper- 
iment whose aim is to establish the non-local character of Nature and a quantum key distribution 
scheme based on the violation of a Bell inequality. In the first case, we are trying to rule out a 
whole set of models of Nature (including models that can overcome the laws of physics as they are 
currently known), while in the second case, we are merely fighting an eavesdropper limited by the 
laws of quantum physics. 

Seen in this light, the locality loophole is not problematic in our context. In usual Bell exper- 
iments, the locality loophole is dealt with by enforcing a space-like separation between Alice and 
Bob. This guarantees that no sub-luminal signals (including signals mediated by some yet-unknown
theory) could have traveled between Alice's and Bob's devices. In the context of DIQKD, it is suffi- 
cient to guarantee that no quantum signals (e.g. no photon) can travel from Alice to Bob. This can 
be enforced by a proper isolation of Alice's and Bob's locations. As stated in Section 1.1, we make 
here the basic assumption, shared by usual QKD and without which cryptography wouldn't make 
any sense, that Alice's and Bob's locations are secure, in the sense that no unwanted information 
can leak out to the outside. Whether this condition is fulfilled is an important question in practice, 
but it is totally alien to quantum key distribution, whose aim is to establish a secret key between 
two parties given that this assumption is satisfied. In a similar way, we assume here, as in usual 
QKD, that Alice and Bob choose their measuring settings with trusted random number generators 
whose outputs are unknown to Eve. The locality loophole is thus not a fundamental loophole in 
the context of DIQKD and can be dealt with using today's technology. 

The detection loophole, on the other hand, is a much more complicated issue. Experimental
tests of non-locality circumvent this problem by discarding no-detection events and recording only
the events where both measuring devices have produced an answer. This amounts to performing a
post-selection on the measurement data. This post-selection is usually justified by the fair sampling
assumption, which says that the sample of detected particles is a fair sample of the set of all particles,
i.e., that there are no correlations between the state of the particles and their detection probability.
Although it may be very reasonable to expect such a condition to hold for any realistic model
of Nature, it is clearly unjustified in the context of DIQKD, where we assume that the quantum
devices are provided by an untrusted party [37, 38]. In our context, it is thus crucial to close the
detection loophole. This has already been done for some experiments [34, 35], although not yet on
distances relevant for QKD.

Figure 3: Key rate as a function of detection efficiency (horizontal axis: detector efficiency $\eta$) for
the ideal correlations coming from the maximally entangled state $|\Phi^+\rangle$ and satisfying $Q = 0$ and
$S = 2\sqrt{2}$, obtained by replacing the absence of a click by the outcome −1. The efficiency threshold
above which a positive key rate can be extracted is $\eta = 0.924$.

Note that a proper security analysis of DIQKD with inefficient detectors has to take into account
all measurement outcomes produced by the devices, which in our case would include the outcomes
"±1", and the no-detection outcome "⊥". A possible strategy to apply our proof to this new
situation simply consists in viewing the absence of a click "⊥" as a "−1" outcome, thus replacing
a 3-output device by an effective 2-output device. To give an idea of the amount of detection
inefficiency that can be tolerated in this way, we have plotted in Figure 3 the key rate as a function
of the efficiency of the detectors for the ideal set of quantum correlations that give the maximal
violation of the CHSH inequality, obtained when measuring a $|\Phi^+\rangle$ state. The key rate is given by
Eq. (12) with $Q = \eta(1 - \eta)$ and $S = 2\sqrt{2}\,\eta^2 + 2(1 - \eta)^2$.
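The effect of recording a missing click as −1 can be reproduced from the outcome statistics. This added Python example (not from the paper) applies a detection efficiency to the ideal correlators of the settings of Subsection 2.1, recomputes Q and S from the resulting distributions, and bisects for the efficiency at which the key rate changes sign. It assumes that each side clicks independently and that Eq. (12) is the rate 1 − h(Q) minus the Holevo bound of Lemma 4; all function names are hypothetical.

```python
import math
from itertools import product

def h(p):
    """Binary entropy in bits."""
    return 0.0 if p <= 0 or p >= 1 else -p * math.log2(p) - (1 - p) * math.log2(1 - p)

# Ideal correlators <A_i B_j> on |Phi+> for A0 = B1 = sigma_z,
# A1, A2 = (sigma_z +/- sigma_x)/sqrt(2), B2 = sigma_x.
# Key (i, j) = (Alice's setting, Bob's setting).
C = 1 / math.sqrt(2)
IDEAL = {(0, 1): 1.0, (1, 1): C, (1, 2): C, (2, 1): C, (2, 2): -C}

def lossy_distribution(E, eta):
    """P(a, b) when each side clicks independently with probability eta
    (assumption of this example) and a missing click is recorded as -1."""
    P = {ab: 0.0 for ab in product((+1, -1), repeat=2)}
    for a, b in product((+1, -1), repeat=2):
        ideal = (1 + a * b * E) / 4                  # uniform marginals, correlator E
        for click_a, click_b in product((True, False), repeat=2):
            w = (eta if click_a else 1 - eta) * (eta if click_b else 1 - eta)
            P[(a if click_a else -1, b if click_b else -1)] += w * ideal
    return P

def observed(eta):
    """Error rate Q on the key settings (A0, B1) and CHSH value S seen by Alice and Bob."""
    corr = {}
    for settings, E in IDEAL.items():
        P = lossy_distribution(E, eta)
        corr[settings] = sum(a * b * p for (a, b), p in P.items())
    Q = (1 - corr[(0, 1)]) / 2                        # P(a != b | A0, B1)
    S = corr[(1, 1)] + corr[(1, 2)] + corr[(2, 1)] - corr[(2, 2)]
    return Q, S

def key_rate(Q, S):
    """Assumed form of Eq. (12): 1 - h(Q) - chi, with chi bounded as in Lemma 4."""
    chi = 1.0 if S <= 2 else h((1 + math.sqrt((S / 2) ** 2 - 1)) / 2)
    return 1 - h(Q) - chi

def efficiency_threshold(lo=0.5, hi=1.0, iterations=60):
    """Bisect for the zero of the key rate; on [0.5, 1] Q falls and S rises with eta."""
    for _ in range(iterations):
        mid = (lo + hi) / 2
        if key_rate(*observed(mid)) > 0:
            hi = mid
        else:
            lo = mid
    return (lo + hi) / 2

if __name__ == "__main__":
    for eta in (1.0, 0.95, 0.924, 0.90):
        Q, S = observed(eta)
        print(f"eta={eta:.3f}  Q={Q:.4f}  S={S:.4f}  rate={key_rate(Q, S):+.4f}")
    print("threshold ~", round(efficiency_threshold(), 4))
```
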

3.3 Ideas for overcoming the detection loophole 

As mentioned above, the experiment of [35], which is based on entanglement swapping between two 
ions separated by about 1 meter, is immune to the detection loophole. A natural way to implement 
our DIQKD protocol would thus be to improve this experiment. This would require extending the 
distance between the ions, but also improving the visibility and significantly improving the data 
rate (currently one event every 39 seconds). This approach could of course in principle also be 
implemented with neutral atoms, quantum dots, etc. Here we discuss ideas on how the problem of 
the detection loophole could be solved (at least partially) within an all photonic implementation,
using heralded quantum memories and trusted detectors.

In a realistic quantum key distribution scenario there are basically two kinds of losses that 
should be studied separately: line losses and detector losses. Line losses are due (in practice) to the 
imperfections of the quantum channel between Alice and Bob. However, as far as the theoretical 
security analysis is concerned, these losses should be assumed to be the result of Eve's actions, since 
Alice and Bob do not control the quantum channel. One possibility for Alice and Bob to overcome 
this problem is to use heralded quantum memories. Using this technique, Alice and Bob can know 
whether their respective memory device is loaded or not, that is whether a photon really arrived 
in their device or not. In the case that both memories are loaded, they release the photons and 
perform their measurements. This procedure thus implements a kind of quantum non-demolition 
measurement of the incoming states, which allows Alice and Bob to get rid of the losses of the 
quantum channel. This should be realizable within a few years, thanks to the development of
quantum repeaters [39, 40].

The second type of losses, the detector losses, are probably more crucial. We can, however, 
consider the situation where Alice's and Bob's detectors are not part of the uncharacterized quantum 
devices. That is, the quantum devices of Alice and Bob are viewed as black-boxes that receive some 
classical input and produce an output signal which is later detected, and transformed into the final 
classical outcome, by a separate detector (footnote 2). The detectors may be assumed to be trusted by and
under the control of Alice and Bob or they can be tested independently from the rest of the quantum
devices. Alice and Bob can for instance do a tomography of their quantum detectors [41, 42, 43, 44],
which consists in determining the measurement that these detectors actually perform. Such detector
tomography, which has been recently demonstrated experimentally in [44], clearly limits Eve's
ability to exploit the detection loophole. This kind of analysis may require elaborating
countermeasures against some sort of trojan-horse attack on the detectors, in which Alice's device
(manufactured by Eve) sometimes sends nothing and sometimes sends bright pulses in order to
ensure that a detection occurs. We believe that the power of such attacks can be severely constrained
by placing multiple detectors instead of one at each output mode of Alice's and Bob's devices [45].

In the scenario that we outlined in the preceding paragraph, we have made a move to a situation 
that is intermediate between usual QKD, where all devices are assumed to be trusted, and DIQKD, 
where all quantum devices are untrusted. In this new situation, Alice and Bob either need to trust 
their detectors (in the same way that they trust their random number generators or the classical
devices) or they need to test them with a trusted calibration device (that they should get from a
different provider than Eve). Whether this is a reasonable or practical scenario to consider depends
on the respective difficulty of testing the detectors vs the entire quantum devices, and on the 
advantages that may follow from trusting part of the quantum devices (this may still allow for 
instance to forget about side-channels, or imperfections in the measurement bases). 

4 Discussion and open questions 

Identifying the minimal set of physical assumptions allowing secure key distribution is a fascinating
problem, both from a fundamental and an applied point of view. DIQKD possibly represents
the ultimate step in this direction, since its security relies only on a fundamental set of basic
assumptions: (i) access to secure locations, (ii) trusted randomness, (iii) trusted classical processing
devices, (iv) an authenticated classical channel, (v) and finally the general validity of a physical
theory, quantum theory. In this work, we have shown that for the restricted scenario of collective
attacks, secure DIQKD is indeed possible. There remain, however, plenty of interesting open
questions in the device-independent scenario.

Footnote 2: Note, we are not considering here the "detector" as a complete measurement device, but only as the part of the
device that clicks or not whenever it is hit by one or several photons. In particular, all the machinery that determines
the choice of measurement bases (and which may include beam-splitters, polarizers, etc.) is still assumed to be part
of the black-box device.

From an applied point of view, the most relevant questions are related to loopholes in Bell tests, 
particularly the detection loophole, as discussed in Section 3. The detection loophole, usually seen
mostly as a foundational problem, thus becomes a relevant issue from an applied perspective, with
important implications for cryptography (footnote 3). From a theoretical point of view, it would be highly
desirable to extend the security proof presented here to other scenarios, the ultimate goal being a 
general security proof. We list below several possible directions to extend our results. 

• As we discussed, the violation of a Bell inequality represents a necessary condition for secure 
DIQKD. It would be interesting, then, to consider other protocols, based on different Bell 
inequalities, even under the additional assumption of collective attacks. Some interesting 
questions are: (i) how does the security of DIQKD change when using larger alphabets, 
especially when compared with standard QKD [47, 48, 49]? (ii) can one establish more
general relations bounding Eve's information from the amount of observed Bell inequality 
violation? 

• A key ingredient in our security proof is the fact that it is possible to reduce the whole 
analysis to a two-qubit optimization problem. This is because any pair of quantum binary 
measurements can be decomposed as the direct sum of pairs of measurements acting on two- 
dimensional spaces. Do similar results exist for more complex scenarios? More generally, 
are all possible bipartite quantum correlations for m measurements of n outcomes, for finite 
m and n, attainable by measuring finite-dimensional systems [50]? Some progress on this 
question was recently obtained in Refs. [51, 52], where it was shown that infinite dimensional
systems are needed to generate all two-outcome (n = 2) quantum correlations, thus proving
a conjecture made in Ref. [53]. The proof of this result, however, is only valid when m → ∞.

• Our security analysis works for the case of one-way reconciliation protocols. How is the 
security of the protocol modified when two-way reconciliation techniques are considered? 
Does then a Bell inequality violation represent a sufficient condition for security? In this 
direction, it was shown in Ref. [54] that all correlations violating a Bell inequality contain
some form of secrecy, although not necessarily distillable into a key. 

• In the spirit of removing the largest number of assumptions necessary for the security of QKD, 
an interesting extension has been anticipated by Kofler, Paterek and Brukner [55]. They 
noticed that quantum cryptography may be secure even when one allows the eavesdropper to 
have partial information about the measurement settings. To illustrate this scenario on our 
protocol, we suppose that in each run Eve has some probability to make a correct guess on the 
choice of measurement settings. The best way to model this situation from the perspective of 
Eve is to have an additional bit f ("flag") such that f = 1 guarantees her guess to be correct, 
while f = 0 implies that her guess is uncorrelated with the real settings: indeed, any scenario 
with partial knowledge may be obtained by Eve forgetting the value of f. We suppose that 
the case f = 1 happens with probability q and f = 0 with probability 1 − q. When Eve 
has full information on Bob's measurement choice, she can fix in advance Alice's and Bob's 
outcome while at the same time engineering a violation of CHSH up to the algebraic limit of 
4. If Eve follows this strategy, the observed violation will then be S = 4q + (1 − q)S' and the 
security bound will be given by 

$$\chi(B_1:E) = q + (1-q)\, h\!\left(\frac{1+\sqrt{(S'/2)^2-1}}{2}\right) . \tag{54}$$

This proves that there cannot be any security if q > √2 − 1 ≈ 41%. It would be interesting 
to consider more elaborate situations, e.g. those in which Eve may have partial information 
about sequences of measurement settings. 

3 Recently, the role of the detector efficiency loophole in standard QKD has been analyzed in Ref. [46]. 

• In standard QKD, it is known that security against collective attacks implies security against 
the most general type of attacks. This follows from an application of the exponential quantum 
de Finetti theorem of Ref. [56], but can also be proven through a direct argument [16]. Does a 
similar result hold in the device-independent scenario? In particular can the exponential de 
Finetti theorem [56] be extended to the device-independent scenario? If this was the case, our 
security proof would automatically be promoted to a general security proof. Some preliminary 
results in this direction have been obtained in Refs. [57, 58], where two different versions of 
a de Finetti theorem for general no-signaling probability distributions were derived. 

Or could it be that collective attacks are strictly weaker than general attacks in the device- 
independent scenario? Here the main difficulty for deriving a general security proof is that, 
contrary to standard QKD, the devices may behave in a way that depends on previous inputs 
and outputs. In particular, the measurement setting could be different in each round and 
depend on the results of previous measurements. It is not clear what role such memory effects 
play in the device-independent scenario, and whether it would be possible to find an explicit 
attack exploiting them which would outperform any collective (hence memoryless) attack. 

• A final possibility would be to adapt the techniques developed in Refs. [13, …], valid for 
the general case of no-signaling correlations, to the quantum scenario. The results of these 
works prove the security of QKD protocols against eavesdroppers limited only by the no- 
signaling principle. Unfortunately, the corresponding key rates and noise-resistance are at 
present impractical when applied to correlations that can be obtained by measuring quantum 
states. A natural question is then: how can one incorporate the constraints associated to 
the quantum formalism to these techniques in order to obtain better key rates and better 
noise-resistance for quantum correlations? 
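
The q > √2 − 1 threshold stated with Eq. (54), in the item on Eve's partial knowledge of the measurement settings, can be checked numerically. The following is an added example, not code from the paper: the function names are hypothetical, and clipping S' at the local bound 2 (where Eve's information is already complete) is an assumption made so that the square root stays real.

```python
import math

SQRT2 = math.sqrt(2.0)

def h(p):
    """Binary entropy in bits, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)

def unflagged_chsh(S, q):
    """Solve S = 4q + (1 - q) S' for S', the CHSH value Eve must still
    produce in the rounds where her guess of the settings is uncorrelated.
    Assumption: values below the local bound 2 are clipped to 2."""
    if q >= 1.0:
        return 2.0
    return max(2.0, (S - 4.0 * q) / (1.0 - q))

def holevo_bound(S, q):
    """Right-hand side of Eq. (54) for observed CHSH value S and
    probability q that Eve's guess of the settings is guaranteed correct."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a probability")
    if S > 2.0 * SQRT2 + 1e-12:
        raise ValueError("S exceeds the quantum maximum 2*sqrt(2)")
    s_prime = unflagged_chsh(S, q)
    root = math.sqrt(max(0.0, (s_prime / 2.0) ** 2 - 1.0))
    return q + (1.0 - q) * h((1.0 + root) / 2.0)

def critical_q(S):
    """Smallest q at which S' drops to the local bound 2, so that the
    bound of Eq. (54) reaches 1 bit: 4q + 2(1 - q) = S gives q = (S - 2)/2."""
    return max(0.0, (S - 2.0) / 2.0)

if __name__ == "__main__":
    S_max = 2.0 * SQRT2  # largest violation the honest parties can observe
    print("critical q at S = 2*sqrt(2):", critical_q(S_max))
    for q in (0.0, 0.1, 0.2, 0.3, 0.4, 0.42):
        print(f"q = {q:4.2f}  S' = {unflagged_chsh(S_max, q):.4f}  "
              f"bound = {holevo_bound(S_max, q):.4f}")
```

Even at the maximal observable violation S = 2√2, the bound climbs from 0 at q = 0 to 1 bit once q passes √2 − 1.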